VMware patches man-in-the-middle vSphere vuln

VMware has released an update to its vSphere Client which addresses a potential – but hard to target – man-in-the-middle vulnerability for the virtualization tool. The company said that users running vSphere Client 4.0, 4.1, 5.0, and 5.1 for Windows were vulnerable to a flaw that allows the client to download and install …

COMMENTS

This topic is closed for new posts.
  1. Alan W. Rateliff, II

    Likelihood of attack minimal...

    Right. TJX and Target were both protected networks, not exposed to the public, too.

    1. Anonymous Coward

      Re: Likelihood of attack minimal...

      So VMware's approach to mitigation on something this dangerous can be summed up as:

      "Ah c'mon! It's fine! I mean nobody would be dumb enough to expose ports on this thing or anything... right? Uh, guys? Right?"

  2. Anonymous Coward

    dear vmware

    Now would be the perfect time to allow administrators the opportunity to submit vCenter's CA CSR to be signed by an external CA.

    signed: an admin who never enjoys telling users to click through a certificate error.

    1. GitMeMyShootinIrons

      Re: dear vmware

      Is this any help?

      http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2015421

      1. Anonymous Coward

        Re: dear vmware

        Close. I've seen that page and other VMware KBs, but what I want is for vCenter 5.5 to continue to maintain its own sub-CA, but prompt me and ask if I'd like to sign the internal CA they're about to create myself. What VMware provide (and have for several versions) is a kludge. It would be much simpler if they would simply ask: do you want to sign this CA yourself? If you don't want to be bothered, you can accept that you'll continue to have to tell users to accept the certificate (that they've just been warned about), reinforcing the belief that they can just click on Firefox's, Chrome's and IE's warnings every time they see one. Otherwise you can download the CSR, sign it using your company's CA, and upload the cert.

        This beef isn't limited to VMware. Splunk is similar, but I think I can use a single wildcard certificate to replace all of Splunk's certificates. And don't get me started on APC PDUs, unless you have solved this yourself and would like me to send you cash.

    2. DougMac

      Re: dear vmware

      This can be done.

      The latest code is a bit convoluted, so they released a tool to help you do it.

      There is a blogger that also has done up a tool chain and his own detailed instructions for the last two versions.

      Although I'm beginning to feel that just throwing it all behind a load balancer with SSL offload will be 100 times easier.
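Editor's added example, not VMware's tooling, the KB procedure or any commenter's code: the CSR round trip the "dear vmware" thread asks for, done by hand with openssl so the required pieces are visible. The company root signs a subordinate CA CSR (standing in for vCenter's own internal CA), that sub-CA issues the vCenter server certificate, and a client verifies the chain. It also shows the two failure cases a practitioner should check: a self-signed certificate with the right name (what the click-through warning is about) is rejected, and the sub-CA's pathlen:0 stops it from minting further CAs. All names, DNs and the hostname vcenter.example.internal are assumptions for the demo; the root CA is generated locally only so the script runs offline.

```shell
#!/bin/sh
# Added example (not VMware's or a commenter's code). Builds a root CA, signs a
# sub-CA CSR with it, issues a vCenter server cert from the sub-CA and verifies
# the chain with openssl. Hostname and DNs below are assumed demo values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
VC_HOST="vcenter.example.internal"   # assumed vCenter FQDN; replace with yours

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"

# Key + CSR for a given name: $1 = file prefix, $2 = subject DN.
mk_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# 1. The company root CA. In real life this already exists; built here for the demo.
make_root_ca() {
  mk_csr root "/CN=Example Internal Root CA"
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
}

# 2. The sub-CA CSR (the one vCenter would hand over), signed by the root.
#    pathlen:0 lets it issue server certs but not further CAs.
sign_sub_ca_csr() {
  mk_csr sub "/CN=vCenter Internal Sub CA"
  printf 'basicConstraints = critical, CA:TRUE, pathlen:0\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/sub.ext"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/sub.ext" -out "$WORK/sub.crt" 2>/dev/null
}

# 3. The sub-CA issues the vCenter server cert. subjectAltName is what browsers
#    match against the hostname; CA:FALSE so the leaf cannot issue certificates.
issue_vcenter_cert() {
  mk_csr vc "/CN=$VC_HOST"
  printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$VC_HOST" > "$WORK/vc.ext"
  openssl x509 -req -in "$WORK/vc.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 825 -extfile "$WORK/vc.ext" -out "$WORK/vc.crt" 2>/dev/null
}

# 4. What a client does: trust only the root, take the sub-CA as untrusted chain
#    material, and require that the leaf chains to the root and names the host.
verify_vcenter_cert() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" "$WORK/vc.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/vc.crt" -noout -text | grep -q "DNS:$VC_HOST" || return 1
}

# 5. The case behind the certificate warning: a self-signed cert carrying the right
#    name does not chain to the root. Returns 0 when the client rejects it.
self_signed_is_rejected() {
  mk_csr rogue "/CN=$VC_HOST"
  openssl x509 -req -in "$WORK/rogue.csr" -signkey "$WORK/rogue.key" -days 365 \
    -out "$WORK/rogue.crt" 2>/dev/null
  ! openssl verify -CAfile "$WORK/root.crt" "$WORK/rogue.crt" >/dev/null 2>&1
}

# 6. pathlen:0 on the sub-CA: a CA it signs must not be accepted as an issuer.
#    Returns 0 when a leaf issued via such a sub-sub CA fails verification.
pathlen_is_enforced() {
  mk_csr deep "/CN=Unauthorised Sub-Sub CA"
  openssl x509 -req -in "$WORK/deep.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 365 -extfile "$WORK/sub.ext" -out "$WORK/deep.crt" 2>/dev/null
  mk_csr leaf2 "/CN=other.example.internal"
  openssl x509 -req -in "$WORK/leaf2.csr" -CA "$WORK/deep.crt" -CAkey "$WORK/deep.key" \
    -CAcreateserial -days 365 -extfile "$WORK/vc.ext" -out "$WORK/leaf2.crt" 2>/dev/null
  cat "$WORK/sub.crt" "$WORK/deep.crt" > "$WORK/chain.pem"
  ! openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.pem" "$WORK/leaf2.crt" >/dev/null 2>&1
}

run_demo() {
  make_root_ca && sign_sub_ca_csr && issue_vcenter_cert && verify_vcenter_cert \
    && self_signed_is_rejected && pathlen_is_enforced
}

run_demo && echo "chain built and verified in $WORK"
```

In the real procedure the sub-CA key never leaves vCenter: you would take its CSR, run only step 2 against the company root, and upload the resulting sub.crt (plus root.crt for the chain). Step 4 is the check worth running from a client machine before declaring the warnings gone, since a leaf that chains correctly but lacks a matching subjectAltName still produces a browser error.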


Biting the hand that feeds IT © 1998–2020